The International Telecommunications Union (ITU) and Cyber Accountability

The International Telecommunications Union (ITU) is the United Nations (UN) specialized agency for information and communications technologies (ICTs).¹ For more on the history of the ITU, see G. Balbi & A. Fickers, eds., 2020, “History of the International Telecommunication Union (ITU),” Transnational techno-diplomacy from the telegraph to the Internet, (Berlin: De Gruyter). It is an intergovernmental organization with a technical focus and regulatory function. While it has not played as central of a role in UN dialogues about state use of ICTs in the context of international peace and security as some other bodies have, it is nonetheless an important actor with long-established legitimacy as a trusted and competent governance body and platform for general ICT standardization and regulation.

What is the ITU?

Founded in 1865 by a group of 20 European states at the dawn of the telegraph era, the organization that came to be called the International Telecommunications Union (ITU) officially became a part of the United Nations (UN) in 1942, making it the oldest agency of the organization. Over time, the ITU has gained importance for its work in standardizing technologies such as telegrams, telephones, radios, and satellites as well as building out communications capabilities of its member states. In the 21st century, the ITU remains a crucial global platform, shaping telecommunications on various levels.² “About International Telecommunications Union,” ITU website, 2024, https://www.itu.int/en/about/Pages/default.aspx.

The ITU consists of two types of members: member states, encompassing 193 countries, and sector members, comprising roughly 900 private-sector corporations. This latter category is per a 1994 ITU constitutional change, which allowed nongovernmental actors from the private sector to join the ITU.³ ITU, “Membership,” ITU website, n.d., https://www.itu.int/hub/membership/. Sector members are active in the subsidiary bodies of the ITU, but do not have voting rights in the ITU plenipotentiary conferences. ITU sector members come mainly from the private sector, the technical community, and academia.⁴ ITU, “ITU’s growing and evolving membership,” ITU website, May 2022, https://www.itu.int/en/mediacentre/backgrounders/Pages/itus-evolving-membership.aspx.

Oversight is provided by the ITU Secretary-General who collaborates closely with the ITU Council, an elected entity composed of a quarter of the member states. Every four years, member states assemble for a plenipotentiary conference, a platform for decisions on elections, strategic plans, and financial affairs. At plenipotentiary conferences, recommendations are turned into resolutions, which are voted on by council members. These resolutions hold significant consequences for global ICT regulation, standards, and policies.

The ITU’s operations revolve around three technical sectors: a Telecommunication Standardization Sector (ITU-T), dedicated to international standards concerning topics such as internet connectivity and 5G technology; a Radiocommunication Sector (ITU-R), responsible for managing radio systems, including satellite ownership and spectrum allocation; and the Development Sector (ITU-D), offering technical and capacity services to close the digital divide and drive digital transformation.⁵ The NATO Cooperative Cyber Defence Centre of Excellence, “The International Telecommunications Union,” CCDOE, n.d., https://ccdcoe.org/organisations/itu/.

Relevance to Cyber

In response to evolving concerns about cyber threats and misuse of ICTs, the World Summit on the Information Society (WSIS) was established by the UN and was initiated by the ITU through a two-phase summit in 2003 to establish a shared framework for viewing and regulating ICTs across countries.⁶ United Nations, “World Summit on the Information Society (WSIS),” UN website, https://sustainabledevelopment.un.org/index.php?page=view&type=30022&nr=102&menu=3170. The WSIS allocated specific roles to various UN agencies for ICT regulation. In this context, its Action Line C5 tasked the ITU with the role in “building confidence and security in the use of ICTs.”⁷ ITU, “Action Line C5 (Building Confidence and Security in the Use of ICTs)—National Cybersecurity Strategies for Sustainable Development”, ITU website, 2016, https://www.itu.int/net4/wsis/forum/2016/Agenda/Session/120. As a result, the ITU launched an effort called the Global Cybersecurity Agenda (GCA) to fulfill this mission. The GCA is built upon five pillars: legal measures; technical & procedural measures; organizational structures; capacity-building; and international cooperation.⁸ Chief Judge Stein Schjølberg, Report of the Chairman of the High-level Expert Group, 2008, https://www.itu.int/en/action/cybersecurity/Documents/gca-chairman-report.pdf and ITU, “Global Cybersecurity Agenda,” International Telecommunications Union: Cybersecurity, https://www.itu.int/en/action/cybersecurity/Pages/gca.aspx.

Action Line C5 also emphasized the ITU’s responsibility for fostering topics such as global collaboration on trust, data protection, preventing the misuse of ICTs, and encouraging UN engagement in enhancing ICT security.

The ITU has developed an extensive program on cybersecurity. Three activities are particularly relevant for promoting accountability in cyberspace: the Global Cybersecurity Index, National Cybersecurity Strategies, and the National CIRT program. These efforts are described below.

Global Cyber Index

The Global Cybersecurity Index (GCI) was initiated in 2015 under the framework set out by the earlier 2007 Global Cybersecurity Agenda. The description on the ITU’s webpage states that the GCI is a “trusted reference that measures the commitment of countries to cybersecurity at a global level—to raise awareness of the importance and different dimensions of the issue.”⁹ ITU, “Global Cybersecurity Index,” ITU website, 2024, https://www.itu.int/en/ITU-D/Cybersecurity/Pages/global-cybersecurity-index.aspx. This Index is used to identify areas of strength and growth in cybersecurity and to highlight good practices, as well as cybersecurity commitments for member states to implement as suitable to their national environment. As stated in ITU Plenipotentiary Resolution 130, the ultimate goal of the Index is to foster a global culture of cybersecurity and the integration of cybersecurity at the core of information and communication technologies.¹⁰ ITU, “Highlights: ITU Plenipotentiary Conference 2022,” ITU website, 2022, https://pp22.itu.int/en/newsroom/highlights.

The index has four editions so far, with a fifth edition scheduled to be released later in 2024.¹¹ ITU, “Global Cybersecurity Index.” It reflects a consultative process that starts with the development of a questionnaire, which is revised and adapted on the basis of inputs received from member states and the GCI Expert Group (earlier editions included a GCI Correspondence Group, now part of the Expert Group). Member states are invited to participate by designating focal points for data collection. Responses are collected through an online portal. The Telecommunication Development Bureau (BDT) Secretariat conducts secondary data collection, refines responses, and produces a validated questionnaire for analysis. For countries that did not respond to the questionnaire, publicly available data and online research form the basis of collected data, which are reviewed and validated where possible. The process culminates in a report that summarizes trends and best practices of ITU member states around the world.

The Index’s conceptual framework is based around the same five pillars of the GCA: legal measures, technical and procedural measures, organizational structures, capacity-building, and international cooperation.

The GCI was recently restructured into levels of commitment, moving away from rankings to provide a more meaningful assessment of countries’ strengths and areas for improvement. Between 2015 and 2024, the number of member states participating in the GCI grew from 105 to 172 countries.

The Index has been a valuable contribution to identifying areas for improvement and promoting the adoption of best practices in cybersecurity. Further, the Index complements other, ongoing efforts taken by countries, companies, civil society organizations, and individuals to ensure a secure cyberspace.

National Cybersecurity Strategy Development

Robust national cybersecurity strategies can play a vital role in fostering secure and resilient digital growth, especially in developing nations. Building on the established GCI framework, the ITU supports countries in crafting effective national strategies.

To provide countries with a clear framework for developing their national strategies, the ITU led a group of 25 organizations in developing a Guide to Developing an NCS, currently in its second edition.¹² The NCS Guide 2021, https://ncsguide.org/the-guide/. The NCS guide forms the basis for ITU’s BDT and the work of other implementing organizations when supporting countries’ efforts to develop or update their national cybersecurity strategies. The guide is scheduled for revision in 2025 to reflect evolving technology and policy needs and has been accompanied by a series of online trainings.

The guide’s strength lies in its demonstrated ability to provide a standardized approach for various implementing agencies, ensuring consistency across implementation efforts. Furthermore, the guide is designed to be adaptable to each country’s specific political, economic, and social context and can be independently used by countries. This adaptability guarantees that strategies developed have local ownership and meet local needs.

National CIRT Program and Activities

National Computer Incident Response Teams (CIRTs) serve as a national focal point for coordinating cybersecurity incident response within a country. The ITU works with its member states to build capacity at national and regional levels.¹³ ITU, “National CIRT”, ITU website, n.d., https://www.itu.int/en/ITU-D/Cybersecurity/Pages/national-CIRT.aspx. One way in which it does so is through a CIRT assessment, which helps to define a state’s readiness to implement a national CIRT. After the CIRT assessment, the ITU assists with planning, implementation, and operation of the CIRT. At the time of writing, the ITU has completed assessments for 80 countries and helped to establish or enhance CIRTs in 17 countries.¹⁴ Ibid. The ITU’s CIRT framework helps to break down the phases of CIRT development through to establishment and provide ongoing support and maintenance.¹⁵ ITU, ITU cybersecurity programme: CIRT framework, 2021, https://www.itu.int/pub/D-STR-CYBERSEC-2021-01. Within the framework, the role of different stakeholders with respect to national CIRTs are identified and clarified.

National CIRTs are an excellent way to assess threats in environments with capacity constraints and to develop a path forward toward resilience and positive accountability. As an emergency response mechanism, the CIRT initiative models accountability, both in terms of outlining the best practices that states can undertake based on their baseline capabilities, as well as preventative/responsive measures to crises. They also incentivize reporting in a timely manner.

Key Takeaways and Recommendations

Existing ITU activities and projects such as those described here could be better leveraged and recognized for their contribution toward building accountability, particularly positive accountability. For example, and as noted online, the GCI provides a “complement to other measures related to cybersecurity by enabling countries to identify where action has been taken, what action may be insufficient, and how to understand the landscape of successes.”¹⁶ “Global Cybersecurity Index: Frequently Asked Questions”, June 25, 2021, https://www.itu.int/en/ITU-D/Cybersecurity/Documents/GCIv4/GCI-FAQ.pdf. Such benchmarking and monitoring of capabilities, priorities, and needs is a core aspect of accountability.

Bolstering the capacity of national CIRTs and national cybersecurity strategies—core components of responsible behavior—correlates to positive accountability. National CIRTs model accountability, both in terms of outlining the best practices states can undertake based on their baseline capabilities, as well as preventative/responsive measures to crises. Effective national mechanisms and institutional structures are vital for reliable and effective responses to cyber threats and incidents.

While not studied in detail as a part of this case study, the ITU’s growing body of work to promote gender diversity in the field of cybersecurity can also be seen to bolster accountability.¹⁷ DigWatch, “ITU launches new initiative for empowering women in cybersecurity policy and diplomacy,” June 25, 2023, https://dig.watch/updates/itu-launches-new-initiative-for-empowering-women-in-cybersecurity-policy-and-diplomacy. An aspect of accountability is considering the crucial question: who is accountable to whom, which must include historically marginalized individuals or communities that are too often left out of cybersecurity policymaking or technical activities yet can be disproportionately impacted by malicious cyber activity. Moreover, due to the inherently multistakeholder nature of cyberspace, the involvement of multiple stakeholders, including private entities and civil society, is imperative for comprehensive regulation. The approach of the ITU in allowing nongovernmental actors to participate is noteworthy, although the preference given to the private sector reduces the impact and participation of other types of stakeholders. As with any international organization, the ITU is not immune to the geopolitical challenges that often beset such organizations, not least in the area of international cybersecurity. Yet, its long-standing role as a governance body and platform for ICT standardization and regulation more generally represent core components of efforts to globally advance cyber accountability.

Notes

• 1
  For more on the history of the ITU, see G. Balbi & A. Fickers, eds., 2020, “History of the International Telecommunication Union (ITU),” Transnational techno-diplomacy from the telegraph to the Internet, (Berlin: De Gruyter).
• 2
  “About International Telecommunications Union,” ITU website, 2024, https://www.itu.int/en/about/Pages/default.aspx.
• 3
  ITU, “Membership,” ITU website, n.d., https://www.itu.int/hub/membership/.
• 4
  ITU, “ITU’s growing and evolving membership,” ITU website, May 2022, https://www.itu.int/en/mediacentre/backgrounders/Pages/itus-evolving-membership.aspx.
• 5
  The NATO Cooperative Cyber Defence Centre of Excellence, “The International Telecommunications Union,” CCDOE, n.d., https://ccdcoe.org/organisations/itu/.
• 6
  United Nations, “World Summit on the Information Society (WSIS),” UN website, https://sustainabledevelopment.un.org/index.php?page=view&type=30022&nr=102&menu=3170.
• 7
  ITU, “Action Line C5 (Building Confidence and Security in the Use of ICTs)—National Cybersecurity Strategies for Sustainable Development”, ITU website, 2016, https://www.itu.int/net4/wsis/forum/2016/Agenda/Session/120.
• 8
  Chief Judge Stein Schjølberg, Report of the Chairman of the High-level Expert Group, 2008, https://www.itu.int/en/action/cybersecurity/Documents/gca-chairman-report.pdf and ITU, “Global Cybersecurity Agenda,” International Telecommunications Union: Cybersecurity, https://www.itu.int/en/action/cybersecurity/Pages/gca.aspx.
• 9
  ITU, “Global Cybersecurity Index,” ITU website, 2024, https://www.itu.int/en/ITU-D/Cybersecurity/Pages/global-cybersecurity-index.aspx.
• 10
  ITU, “Highlights: ITU Plenipotentiary Conference 2022,” ITU website, 2022, https://pp22.itu.int/en/newsroom/highlights.
• 11
  ITU, “Global Cybersecurity Index.”
• 12
  The NCS Guide 2021, https://ncsguide.org/the-guide/.
• 13
  ITU, “National CIRT”, ITU website, n.d., https://www.itu.int/en/ITU-D/Cybersecurity/Pages/national-CIRT.aspx.
• 14
  Ibid.
• 15
  ITU, ITU cybersecurity programme: CIRT framework, 2021, https://www.itu.int/pub/D-STR-CYBERSEC-2021-01.
• 16
  “Global Cybersecurity Index: Frequently Asked Questions”, June 25, 2021, https://www.itu.int/en/ITU-D/Cybersecurity/Documents/GCIv4/GCI-FAQ.pdf.
• 17
  DigWatch, “ITU launches new initiative for empowering women in cybersecurity policy and diplomacy,” June 25, 2023, https://dig.watch/updates/itu-launches-new-initiative-for-empowering-women-in-cybersecurity-policy-and-diplomacy.